Description

The Windows Storage sensor gives the error 'WMI Disk Drive not found for Disk'. The sensor code assumes the probe will always return an integer 'Number' value, which is then used for matching against other values, but this is not the case for some servers' disk data in WMI.

The Discovery log may show:

Sensor error when processing Windows - Storage 2012: WMI Disk Drive not found for Diskundefined

Steps to Reproduce

Note: Windows computers that return WMI results with a null Number for a Physical Drive are quite rare. Reproducing the sensor errors would require using 'run again' on an imported ecc queue input for the probe, from a customer that has experienced this issue.

  1. Discover any Windows Server 2016 computer
  2. Note the error when processing the Sensor for the Storage probe

On inspecting the code, it can be seen that in the DiscoveryWindows2012StorageSensor script include, on line 55, disk.Number is appended to the string variable nameRegex, and disk.Number can be null. For example, 'PHYSICALDRIVE' can end up as 'PHYSICALDRIVEnull' when the <Number/> tag has no value in the payload returned for the Windows Storage Probe.

The sensor code assumes the <Number/> tag has a value like "0" or "1", resulting in "PHYSICALDRIVE0" or "PHYSICALDRIVE1" which is then used to match the 'if' condition for the following snippet on line 56:

    if (drive.Name.match(nameRegex)) {
      diskDrive = drive;
      break;
    }
    if (diskDrive === null)
      throw 'WMI Disk Drive not found for Disk';

When the <Number/> tag is null, no regex match is made, and diskDrive stays null. This results in the sensor throwing the following error: 'WMI Disk Drive not found for Disk'.

Workaround

Ignore the disks with null in their <Number/> tag, to allow the sensor to continue running for other disks.

Note: This is not a fix. Disk information for disks that have no disk.Number value associated with them is not populated into the CMDB.

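  1. Update the DiscoveryWindows2012StorageSensor script include, lines 52-60:

     var diskDrive = null;
     for (var j = 0; j < result.Win32_DiskDrive.length; ++j) {
       var drive = result.Win32_DiskDrive[j];
       // Match on the PHYSICALDRIVE prefix only; disk.Number is no longer appended.
       // The backslash is doubled so the pattern reaches the regex engine as \S*?
       var nameRegex = '\\S*?PHYSICALDRIVE';
       if (drive.Name.match(nameRegex)) {
         diskDrive = drive;
         break;
       }
     }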
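The failure described above and the workaround's stated intent (skip disks with no Number, keep processing the rest), as an added example that is not the DiscoveryWindows2012StorageSensor source. The `disks` array, the `FriendlyName` field, both function names and the sample data are assumptions constructed for illustration; the guarded variant also assumes the drive Name ends with the drive number.

```javascript
// Constructed sample of parsed probe output: the second disk has an empty <Number/>.
const sampleResult = {
  Win32_DiskDrive: [
    { Name: '\\\\.\\PHYSICALDRIVE0' },
    { Name: '\\\\.\\PHYSICALDRIVE1' },
  ],
  disks: [ // hypothetical field name for the per-disk records
    { Number: '0', FriendlyName: 'disk-a' },
    { Number: null, FriendlyName: 'disk-b' },
  ],
};

// Matching as the article describes it: disk.Number is appended unchecked,
// so a null Number yields 'PHYSICALDRIVEnull' and no drive name matches.
function findDriveUnchecked(disk, drives) {
  const nameRegex = '\\S*?PHYSICALDRIVE' + disk.Number;
  for (const drive of drives) {
    if (drive.Name.match(nameRegex)) return drive;
  }
  throw 'WMI Disk Drive not found for Disk';
}

// Hypothetical guarded variant: validate Number before building the pattern,
// skip disks without a usable one, and report them instead of aborting.
function mapDisksToDrives(result) {
  const matched = [];
  const skipped = [];
  for (const disk of result.disks) {
    const n = String(disk.Number ?? '').trim();
    if (!/^\d+$/.test(n)) { // null, undefined, empty or non-numeric
      skipped.push(disk.FriendlyName);
      continue;
    }
    // Anchored with $ so that drive 1 does not also match drive 10.
    const nameRegex = new RegExp('PHYSICALDRIVE' + n + '$');
    const drive = result.Win32_DiskDrive.find((d) => nameRegex.test(d.Name));
    if (drive) matched.push({ disk: disk.FriendlyName, drive: drive.Name });
    else skipped.push(disk.FriendlyName);
  }
  return { matched, skipped };
}
```

Returning the skipped disks alongside the matches lets the caller log which disks were left out of the CMDB rather than dropping them silently.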

Related Problem: PRB1189849

Seen In

Jakarta Patch 2
SR - IRM - GRC Profiles - Madrid 2019 Q2
SR - IRM - GRC Workbench - New York 2019 Q3
SR - IRM - Policy and Compliance - Madrid 2019 Q2
SR - IRM - Risk Management - New York 2019 Q3
SR - Security - Integration Framework - Madrid 2019 Q2
SR - Security - Support Common - Madrid 2019 Q2
SR - Security - Support Orchestration - Madrid 2019 Q2
SR - SIR - Security Incident Response - Madrid 2019 Q2
SR - SIR - Store SecOps Setup Assistant - Madrid 2019 Q2
SR - SIR - Store Threat Core - Madrid 2019 Q2
SR - SIR - Store Trusted Security Circles Client - New York 2019 Q3
SR - VR - Qualys - New York 2019 Q3
SR - VR - Vulnerability Response - New York 2019 Q3

Fixed In

New York

Article Information

Last Updated: 2019-10-09 17:40:51
Published: 2019-03-04